Ransomware crooks make millions from porn-shaming scams

Ransomware is a growth industry that puts at least $5 million annually into criminals' coffers, Symantec said Thursday.

"If you look at the nature of the beast, it really puts the screws to you," said Kevin Haley, director of Symantec's security response team, in an interview yesterday. "We see so many gangs moving to ransomware, looking for new angles, new versions [of the malware], that we're going to see a lot of this in the future."

"Ransomware" is a long-standing label for malware that once on a personal computer cripples the machine or encrypts its files, then displays a message -- the ransom note -- that demands payment to restore control to the owner.

"It's an extortion racket," Symantec said in a white paper on the topic published Thursday.

The criminal strategy has been in play for at least a half-dozen years, but until relatively recently, was rare, ineffective and focused on Eastern European victims.

That's changed, said Haley, who ticked off a whole host of improvements to the scam, ranging from a more reliable payment mechanism and stronger encryption to completely locking up the PC and thwarting repairs by shaming the victim with on-screen pornography.

They've also expanded their hunting territory. "It began in 2011, when they started to move out of Eastern Europe, to Germany and the U.K., then began to move westward to the U.S," said Haley. From the first to the third quarters of 2012, for example, Symantec tracked a significant uptick in ransomware infections in the U.S.

Today's ransomware displays a message claiming that because the user browsed to illegal pornographic websites, the computer had been locked and a fine must be paid to regain control. The "fines" range between 50 and 100 in Europe, and are usually around $200 in the U.S.

The porn angle is ingenious, said Haley.

"The screen and keyboard are locked up," Haley said of the malware's impact. "All you can use is the number keypad to enter a PIN [to pay the criminals]. You're completely shut out of the computer. And few people will want to take their computer to someone for repair, because the screen says that you violated the law, and that you've been looking at pornography. And there's a pornographic image on the screen."

Symantec was able to estimate what criminals earn from ransomware after uncovering a command-and-control (C&C) server used by one family of the malware.

In a month-long stretch last summer, the server logged approximately 68,000 unique IP addresses representing infected PCs. During one 24-hour span, the server was pinged by 5,700 infected machines, 168 of which showed signs of having paid the ransom, a rate of about 3%.

The ransom note demanded $200 from each victim, putting $33,600 in the criminals' pockets. Extrapolating the 68,000 infections over the course of a month put the total at nearly $400,000.

Those amounts are maximums, said Symantec, since the criminals will lose some as they launder the money from the pre-paid cash cards that they tell victims to use to make ransom payments.

"Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," said Symantec's published report. "The real number is, however, likely much higher."

The criminal groups active in ransomware come from various backgrounds, said Haley. Some had been dealing scams that relied on fake antivirus software -- often called "scareware" -- that Haley said had largely "petered out." Others had been spreading Trojan horses that hijacked bank account credentials. And some were simply opportunists.

"It's an evolution, just like in any business," said Haley. "Someone tries something new, then others build on that. Others see an innovation and they just jump on it, too."

With more criminals migrating to ransomware -- and because the scam is profitable -- Haley expects that the problem will grow, and quickly. "It's predominantly porn now, but they'll shift away from that model and find others," Haley predicted. "Ransomware isn't new, but what's happened is that they've found a way to make money."

Because the ransomware infects PCs using advertisements on compromised adult websites, Symantec recommended that users refrain from clicking on such ads, and to keep Windows, Java, Flash, Adobe Reader and Windows updated with the most recent patches.

The Symantec report on ransomware can be found on its website ( download PDF).

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.